A Pattern-Based Approach to Transform Natural Text From Laws Into Compliance Controls in the Food Industry

(1)

A Pattern-based Approach to Transform Natural Text from Laws into Compliance Controls in the Food

Industry

Andrea Zasada, Michael Fellmann Rostock University, Rostock, Germany azasada@web.de, michael.fellmann@uni-rostock.de

Abstract. In the food industry, regulations support companies to specify what needs to be done to minimize the risks of processing, trade and consumption of inferior food products. Complying with regulations protects companies from expensive and negative perceived product recalls, sanctions and financial penalties. A compliant manufacturing process requires a process design that con- forms to legal requirements, quality and safety standards. Regulations are gen- erally described in natural text so that relevant information has to be retrieved and formalized before it can be used for process description. In this contribution, we use a sample of laws and an initial set of generic control patterns to ex- plore the scope of food regulations and the extent of formalization that can be reached by applying control patterns. All in all, we present a pattern-based approach to turn natural text from laws into formalized machine-readable constructs that may serve as basis for a compliant process design.

Keywords: Business Process Management, Control Pattern, Business Process Compliance, Regulations, Food Industry

1 Motivation and Introduction

The “act of being in alignment with guidelines, regulations and/or legislation” is de- fined as compliance [6]. This definition implies that compliance does not only com- prise the adherence to laws but also standards, codes of practice and business partner contracts [9]. Compliance has been driven by reforms of the American banking and insurance sector since the 1990s, when more and more scandals of money laundering and insider trading have been revealed [10, 14]. The increasing reform pressure final- ly summits in the Sarbanes-Oxley Act (SOX) of 2002 which makes listed companies responsible for establishing and maintaining an internal control system [11].

Similar observations can be made for the food industry, where compliance is seen as a current issue but an old problem that has been subject of many regulative at- tempts [10, 14]. Most frequent compliance offences in the food industry relate to vio- lations of disclosure information, tax and import regulations and to the processing and trade of spoiled food [4]. Business process compliance considers how a business op-

(2)

eration or service should be carried out to comply with a normative system while executing a process [5]. In this regard, control patterns are important since they can be understood as high level domain-specific templates which can be applied to specify recurring process requirements like regulations [13]. A regulation is a declarative written statement defined as “a rule or order issued by an executive authority or regulatory agency of a government and having the force of law” [7].

The purpose of this paper is to reduce the complexity regulations making implicit information accessible and machine-readable through the use of control patterns. The challenge is to identify and convert relevant process information from natural text into formalized constructs that can implemented by process execution languages. The investigation’s focus lies on the degree of formalization (extent) and the thematic focus (scope) of a real-world domain (food industry), which is used as empirical basis for specifying control patterns. In behalf of that, the resulting research questions are:

RQ1: What is the scope of regulations in the food industry?

RQ2: To what extent can regulations be formalized by control patterns?

To answer these two research questions, we discuss related work and present a conceptual model for automating compliance checking in Section 2. In Section 3 we continue with the textual analysis of German food regulations. The regulations have been retrieved by querying the database of the Federal Ministry of Justice and Con- sumer Protection [2]. The title search for the keyword “food” led to 20 national regu- lations, which were analyzed to specify requirement, objective and risk for every single regulation. Control patterns that are extracted from regulations are classified with regard to the given process information. Concluding remarks and prospects on future work are given in Section 5.

2 Principles of Control Patterns

2.1 Related Work and Problem Specification

Considerable work on patterns has been provided by Dwyer, Avrunin and Corbett (1999), who developed a pattern system for finite-state verification based on a large sample of over 500 examples of property specifications [1]. Extensive work on compliance automation has also been conducted by Sadiq, Governatori (2015) [9], Namiri (2007) [8] as well as Turetken et al. (2012) [13] by exploiting formal tech- niques (e.g. MTL/LTL and FCL) in alignment to the de facto standard COSO for managing internal controls. COSO has been settled by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) to comply with significant regulations like SOX [12]. We decided to build our conceptual model upon the four con- trol patterns Order, Occurrence, Resource and Time suggested by Turetken et al.

(2012) [13] because of the existence of a framework for the key elements of business process compliance management (BPCM) and its alignment to an established control framework like COSO. The key elements of BPCM refer to the operational activities of compliance management (e.g. risk assessment and response) and corresponding entities of the compliance repository (e.g. risk).

(3)

2.2 Conceptual Model for Capturing Compliance Controls

In order to capture compliance controls in the food industry we adopted the BPCM framework of Turetken et al. (2012) [13]. The focus of the framework has been shift- ed from operational compliance management activities to the formalization of natural text language through control patterns. Control Patterns form a separate layer in the continuum of abstraction ranging from Regulations to machine-readable Process Exe- cution Languages (see Fig. 1). Each layer contains several process elements repre- sented by different operands (compare Section 3.2). Regulations are the source of compliance requirements used to define the requirement, objective and risk of a con- trol. The smallest entity of a Regulation is a rule. In this layer relevant rules are adopted, control objectives are set and possible risks are assed. The next layer is as- signed to the scope of Control Patterns. Within this layer the templates for process controls are defined and classified. In the bottom layer we specified a number of crite- ria for selecting a compatible Process Execution Language to pave the way for auto- mated compliance controls.

Fig. 1. Conceptual model for compliance checking¹

As we conducted a facet classification on compliance checking approaches in pre- vious work [3], we adopted one of its dimensions to assess the scope of regulations in the food industry. We chose the dimension Scope because we wanted to analyze the applicability of its elements in more detail. The dimension Scope is based on the compliance concerns identified by COMPAS, a study on Compliance-driven Models, Languages and Architectures for Services (COMPAS), which has been conducted by Tilburg University (2008) [12]. The study introduces two categories of compliance

1 In alignment to Turetken et al. (2012).

Regulations

Control Patterns

Objective Risk

Requirement

Occurence Order Information

Location

Resource Time Temperature

define access

execute Mesjkjod

Process Execution Languages

Expressiveness Usability Applicability Adoption of relevant rules

Specification of process requirements

Automation of control patterns

Risk Objective

Requirement Rule

Activity Control

Object Process

Process Element forms

compromises forms

validates forms

Process Instance

Process Element Instance

has

compromises

has

(4)

concerns that have been aligned from business process modeling. The first category comprises the basic compliance concerns control flow, locative, information, resource and time. The second category describes more advanced compliance concerns (e.g.

monitoring, privacy and quality aspects).

3 Applying Control Patterns to Capture Compliance Controls

3.1 Text Analysis of Regulations in the Food Industry

Regulations for the German food industry have been discovered by searching the database of the Federal Ministry of Justice and Consumer Protection, which claims to offer nearly the entire body of federal law [2]. A title search for the German equiva- lent for “food” returned 20 hits of national regulations, which were further analyzed to gain information on the requirement, objective and risk of each regulation. The analysis of subsequent paragraphs and sections of each regulation led us to a total of 108 single requirements with process characteristics. The requirements are used to extract important process information for specifying control patterns. While a requirement can be seen as an early stage of a control pattern, the objective is necessary to express the importance of each control and the risk to access the negative conse- quence of non-compliance. Table 1 shows an excerpt of the complete listing which is addressing the scope of compliance regulations (compare RQ1). The advantage of the chosen examples is that they cover nearly all facets of the dimension Scope, which is used in Section 3.2 to demonstrate the transformation from compliance requirements to control patterns. The retrieved types of regulations vary from the definition of:

• quality controls,

• hygiene and purity requirements,

• requirements regarding the processing of goods,

• preventing the spread of animal diseases,

• requirements regarding transport and storage,

• disclosure agreements to

• tax and export regulations.

Regulation Requirement Objective Risk

01

LMÜV

§ 5, Sec. 1

(1) Fulfil occasionally im- posed obligations to combat animal diseases.

(2) Take precaution if infectious animal diseases occur.

Conduct quality controls if infectious animal diseases are reported.

Spread of infectious animal diseases.

02

LMEV

§ 9, Sec. 2

Export goods within 30 days to a third country or store goods within 60 days in an approved or registered national storage unit.

Export goods within a certain time limit or store goods in an approved or registered national storage.

Violation of tax and import regulations.

(5)

03 LME Appendix 4, Chapter I, No. 3

Depending on the statutory sample size, a sensory test- ing and a legal assessment have to be conducted after opening the packaging.

Conduct quality control to check goods after opening the packaging.

Processing, trade and consumption of spoiled or contaminated goods.

04

TLMV

§ 2

During deep freezing, goods have to be separated from specified inadmissible substances.

Prevent contact to forbidden substances.

05 ATP

§ 5

Containers classified as thermal maritime by land without transloading the goods does not require an export permit.

Transport goods without permit if containers are classified as thermal maritime by land.

Violation of disclosure agreements.

06

LMHV

§ 20

Transport and store chicken eggs 18 days after laying date at a temperature be- tween 5 °C and 8 °C.

Transport special goods within a certain time limit at a given temperature range.

Table 1. Examples for regulations in the food industry

After completing the text analysis by following the example of Table 1, we were able to identify four different risk types that are representative for our sample of regulations in the food industry, namely the:

• processing, trade and consumption of spoiled or contaminated goods,

• spread of infectious animal diseases,

• violation of disclosure agreements and

• violation of tax and import regulations.

Subsequent risks are negative consequences like disposal costs, sanctions and financial penalties or even health hazards. However, these consequences depend on the risks above so they have not been considered as single risk types. Given these explicit information on requirement, objective and risk the next Section is dedicated to the control pattern layer that serves as intermediary to automate compliance controls with process execution languages (compare Section 2.2).

3.2 Specification of Control Patterns in the Food Industry

The formalization of legal text implies to find a reasonable abstraction level. This raises the question to what extent regulations can be formalized by simple constructs like control patterns (compare RQ2). Table 2 provides an overview on frequent control patterns in the food industry. Due to space limitations, only those patterns have

(6)

been listed that have been applied to formalize compliance regulations. The frequency (FRQ) indicates how often a pattern has been used and to which category it belongs.

The listing contains 21 unique control patterns that can be combined to express even more complex compliance requirements using operands and Boolean delimiters (see Table 3). Patterns can be defined using simple verb constructs and prepositions (e.g.

O_i CompliesWith Q_i). Operands are either used to specify general process elements (e.g. object O_i)or specific compliance concerns (e.g. quality control Q_i), which were introduced in Section 2.2. A complete description of operands is given in Table 2.

Pattern Description

FRQ

Given A, O, l, p, k and t as operands representing process elements:

A = activity, O = object, l = location, p = production facility, k = time, t = temperature and

Q, D and P as operands representing compliance concerns:

Q = quality, D = disclosure and P = security precautions, with i, j = 1, 2, 3, …n, i ≠ j and constant m.

Order Basic Aj Precedes Ai 1 Ai must be preceded by Aj. Ai LeadsTo Aj 1 Ai must be followed by Aj.

Res. Basic

Oi Exclusive Oj 6 If Oi is present then Oj must be absent and vice versa.

Oi Exists 3 Oi must exist in the process specification.

Location Basic

ProcessedWith pi 5 Used with order and occurrence patterns to denote a given Oi is processed with production facility pi.

StoredIn li 4 Used with order and occurrence patterns to denote a given Oi is stored in storage unit li.

MovedFrom li MovedTo lj 4 Used with order and occurrence to denote a given Oi is moved from storage unit li to another storage unit lj. (Oi , …; m) Multi-

ProcessedWith pi

3 A set of objects (Oi , …) has to be processed with a certain number of m different production facilities pi.

(Oi ,…; m) Multi-

StoredIn li 1 A set of objects (Oi , …) has to be stored in a certain number of m different storage units li.

Information Advanced

Oi CompliesWith Qi 24

Object Oi complies with quality standards, hygiene and purity requirements by passing regular quality controls as well as extraordinary quality controls Qi. Subject of these controls are e.g. temperature, weight, date of expiry, ingredients, texture and consistence.

Oi CompliesWith Di 10

Object Oi complies with disclosure requirements Di. Sub- ject of these requirements are the consumer protection, tax and import regulations e.g. by correct and complete product declaration, complying with quality and security standards, transparent production processes and a tracea- ble supply chain.

Ai CompliesWith Pi 3

Activity Ai has to be performed with special security precautions Pi in order to protect users from e.g. infectious animal diseases.

Ai CompliesWith Qi 2

Activity Ai complies with quality standards, hygiene and purity requirements by applying regular quality controls as well as extraordinary quality controls Qi (e.g. to prevent the spread of animal diseases).

(7)

Time Basic Within k 10 Used with order pattern to denote a given Ai to happen within k time units.

Before k 2 Used with order patterns to denote a given Ai to happen before k time units.

Adv. Ai ExistsMax/Min k 2 Ai must hold at most/minimum k time units once it hap- pens

Ai ExistsEvery k 1 Ai must happen in every k time unit.

Temperature Basic

Within tj and ti 7 Used with time patterns to denote a given Oi is tempered within temperature t (with i > j).

Below t 7 Used with time patterns to denote a given Oi is tempered below temperature t.

ExactlyAt t 1 Used with time patterns to denote a given Oi is tempered exactly at temperature t.

Adv.

Oi ExistsMax/Min t 1 Object Oi has to be tempered at most/minimum at tempera- ture t.

Table 2. Specification of frequent control patterns in the food industry²

To formalize the requirements given in Table 2, we distinguish a number of typical keywords for each pattern. For example, a control is often aligned to the assurance of quality standards, so that the word “control” is tied to an Information pattern. Re- source patterns (Res.) are usually described by expressions that indicate how goods should be handled, which is indicated by word orders like “prevent contact”. Location patterns are clearly addressed if something is about to be “processed”, “moved” or

“stored”. Depending on the context, keywords like “within” or “below” can also indi- cate if a pattern depends on Time and/or Temperature pattern. The most important indicators to classify control patterns with regard to our conceptual model for automating checking are:

• temporal order (e.g. precedes or leads),

• occurrence (e.g. exists, absent or universal),

• human resource (e.g. to segregate or merge activities),

• location in conjunction with the process status (e.g. processed, moved or stored),

• time limitation (e.g. interval, minimum or maximum) and

• temperature setting (e.g. within, below, above or exactly at).

Instead of the control flow proposed by COMPAS [12] we used the three patterns Time, Order and Occurrence recommended by Turetken et al. (2012) [13] and ex- panded the focus of the Resource pattern from the segregation of duties to the segre- gation of input goods. Besides, we added an information, location and temperature pattern. The Information pattern indicates which legal source, control objective and risk is addressed or whether the requirements of a quality control, security precaution or disclosure agreement is met. This ensures transparency and provides valuable con-

2 According to Turetken et al. (2012). Newly added control patterns are indicated by a grey filled table row.

(8)

text information about the impact of different food regulations. The Location pattern considers how goods should be stored, moved or where they are processed with re- gard to time and temperature constraints. The Temperature pattern is necessary to capture compliance regulations regarding the storage and transport of perishable food.

The final set of control patterns consists of seven categories: Order, Occurrence, Resource, Location, Information, Time and Temperature. Table 3 concludes with the formalization of compliance regulations that started with Table 1. It shows simple patterns as well as more complex patterns to demonstrate the applicability of the most frequent compliance patterns in the food industry.

Control Patterns

Order Occurrence Resource Location Information Time Temperature

01 Oi CompliesWith Qi AND Ai CompliesWith

Pi AND Oi ProcessedWith pi

02 (Oi MovedFrom li MovedTo lj Within k)

OR (Oi StoredIn li Within k)

03 Ai LeadsTo Aj AND Oi CompliesWith Qi

04 Oi Exclusive Oj

05 (Oi MovedFrom li MovedTo lj AND Oi

Exists) AND Oi CompliesWith Di

06 (MovedFrom li MovedTo li OR StoredIn li)

Within tj and ti

Table 3. Examples for control patterns in the food industry

4 Conclusion and Outlook

In this contribution we applied a pattern-based approach for specifying compliance controls in the food industry. Based on a sample of 20 legal text documents, provided by the German Federal Ministry of Justice and Consumer Protection law database, we derived 108 legal statements with process character. These were used to analyze the content of every regulation concerning requirement, objective and risk. To access the scope of food regulations we adopted a business process compliance framework and expanded it by refining the Scope of control patterns by Resource, Location, Infor- mation and Temperature patterns. Determining the frequency of compliance patterns we were able to present a list of relevant control patterns in the food industry. The use of control patterns has been illustrated by a choice of regulations which address the previously defined facets of the Scope dimension. This led to a deeper understanding of the involved process elements and compliance concerns, which will help to evaluate the benefits and boundaries of current process execution languages used for com-

(9)

pliance checking. Future work will be guided by the research question, how control patterns can be used to automate compliance controls. Remaining challenges, regarding the syntax of control patterns, deal with the accuracy versus complexity of applied control patterns and a standardized use of patterns and connectors that enable the implementation of compliance patterns by common process execution languages. To improve the approach further, we will evaluate the usability for the average user with basic IT knowledge and the process modeler with high IT affinity as well.

References

1. Dwyer, M. B., Avrunin, G. S., Corbett, J. C.: Patterns in property specifications for finite- state verification. In: IEEE International Conference on Software Engineering, pp. 411–

420. IEEE Press, New York (1999)

2. Federal Ministry of Justice and Consumer Protection, Juris (Bundesministerium für Justiz und Verbraucherschutz – BMJ): http://www.gesetze-im-internet.de

3. Fellmann, M., Zasada, A.: State-of-the-Art of Business Process Compliance Approaches:

A Survey, Proceedings of the 22nd European Conference on Information Systems (ECIS), Tel Aviv (2014)

4. Foodwatch: http://www.foodwatch.org/en/what-we-do/campaigns/foodwatch-campaigns 5. Hashmi, M., Governatori, G., Wynn, M.T.: Normative requirements for business process

compliance. Service Research and Innovation, pp. 100–116. Springer, Berlin (2014) 6. Merriam-Webster, An Encyclopædia Britannica Company: Compliance,

http://www.merriam-webster.com/dictionary/compliance

7. Merriam-Webster, An Encyclopædia Britannica Company: Regulation, http://www.merriam-webster.com/dictionary/regulation

8. Namiri, K. and Stojanovic, N.: Pattern-based design and validation of business process compliance. In: Proceedings of 6th On The Move Conference (OTM), Tari, Z. (ed.), LNCS 4083, pp. 59–76. Springer, Berlin, (2007)

9. Sadiq, S. and Governatori, G.: Managing Regulatory Compliance in Business Processes.

In: Handbook on Business Process Management 2: Strategic Alignment, Governance, People and Culture, International Handbooks on Information Systems, vom Brocke, J., Rosemann, M. (eds.), vol. 2, pp. 265–288. Springer, Berlin (2015)

10. Shears, P.: Food Fraud: A Current Issue but an Old Problem. British Food Journal, vol.

112, no. 2, pp. 198–213 (2010)

11. SOX: Sarbanes-Oxley Act of 30 July 2002, 15 USC 7201 note, Public Law 107-204, 107th Congress, 116 Statistics Act, Sec. 404, pp. 745–810 (2002)

12. Tilburg University: State-of-the-Art for Compliance Languages: Compliance-driven Mod- els, Languages, and Architectures for Services, Specific Targeted Research Project. Infor- mation Society Technologies (COMPAS Project no. 215175, D2.1), Netherlands (2008) 13. Turetken, O., Elgammal, A., Van den Heuvel, W.J., Papazoglou, M.P.: Capturing compli-

ance requirements: A pattern-based approach. IEEE, vol. 29, no. 3, pp. 28–36. IEEE Press, New York (2012)

14. Weber, O., Diaz, M., Schwegler, R.: Corporate social responsibility of the financial sector – Strengths, weaknesses and the impact on sustainable development. Sustainable Develo- pment, vol. 22, no. 5, pp. 321–335 (2014)